Vincent Strubel, Director General of ANSSI, published a clarifying article on LinkedIn following debates triggered by the SecNumCloud qualification of a "hybrid" cloud offering using American technology operated by a European provider.

SecNumCloud is a qualification issued by ANSSI certifying that a cloud service presents a high level of security suited to sensitive uses by the French State and companies. The evaluation process verifies more than 1200 requirements covering technical, legal, and organizational risks.

Regarding extraterritorial law, SecNumCloud guarantees that data is not subject to non-European provisions against which customers would have no recourse. The requirement for a European provider (registered office and capitalization), the inaccessibility of data to non-European subcontractors, and operational autonomy protect against injunctions under the CLOUD Act or American FISA laws. The "kill switch" scenario is also covered: a qualified European provider cannot be forced to cut its services due to sanctions or export restrictions.

Strubel nonetheless acknowledges an important limitation: "SecNumCloud does not mean the absence of dependency." No player can "fork and maintain in autarky the entire cloud technology stack, from the Linux kernel to Openstack." A cutoff of access to non-European suppliers would lead to a progressive degradation of security.

Data localization within the European Union is mandatory, subjecting physical infrastructure to European law and facilitating intervention by CERT-FR and other state services in the event of an incident.

On the technical level, cyberattacks constitute "the most tangible threat weighing on sensitive cloud uses." The reference framework imposes strong segregation between customers, an isolated administration chain, secure update management, and systematic data encryption. Human risk is covered by an entire chapter on human resources management.

In response to frequently asked questions, Strubel specifies that hybrid offerings satisfy exactly the same requirements as other qualified offerings. He uses an illuminating metaphor: having only capitalistic criteria or only technical criteria would be like having a house "with armored shutters and bars on the windows, but whose door would be closed by a curtain."

SecNumCloud addresses two of the three digital sovereignty issues (not being an easy victim, applying one's own rules) but does not create alternative technological solutions. It is a formalized cybersecurity tool, not an industrial policy.